Assertion failure: consumer->isConsistentFloat32Use(use.use()), at jit/IonAnalysis.cpp:2250
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox86 | --- | unaffected |
| firefox87 | --- | unaffected |
| firefox88 | --- | fixed |
People
(Reporter: decoder, Assigned: iain)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 20210309-5f0f6477c734 (debug build, run with --fuzzing-safe --differential-testing --no-threads --baseline-warmup-threshold=0 --scalar-replace-arguments --fast-warmup):
function testMathyFunction (f, inputs) {
for (var j = 0; j < inputs.length; ++j)
for (var k = 0; k < inputs.length; ++k)
f(inputs[j], inputs[k])
}
mathy5 = (function(x, y) { return (y | x); });
testMathyFunction(mathy5, [null, 1.7976931348623157e308]);
mathy1 = (function(foreign, heap) {
"use asm";
var ff = foreign.ff;
var Float32ArrayView = new Float32Array(heap);
function f(d0, i1) {
ff(Float32ArrayView[2]);
}
return f;
})({ ff: (function*(y) {}).bind()}, new SharedArrayBuffer(4096));
testMathyFunction(mathy1, [0, 0, new String(), -Infinity, new String(), -Infinity]);
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x0000555557890dfa in (anonymous namespace)::TypeAnalyzer::analyze() ()
#1 0x0000555557885e01 in js::jit::ApplyTypeInformation(js::jit::MIRGenerator*, js::jit::MIRGraph&) ()
#2 0x000055555787f268 in js::jit::OptimizeMIR(js::jit::MIRGenerator*) ()
#3 0x0000555557888ebc in js::jit::CompileBackEnd(js::jit::MIRGenerator*, js::jit::WarpSnapshot*) ()
#4 0x000055555788a79e in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) ()
#5 0x000055555788b317 in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) ()
#6 0x00000d9ad8b81715 in ?? ()
#7 0x0000000000000000 in ?? ()
rax 0x5555557e45a8 93824994919848
rbx 0x7ffff60ccfc8 140737321422792
rcx 0x555557fd7ff8 93825036812280
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffffac50 140737488333904
rsp 0x7fffffffabd0 140737488333776
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f99840 140737353717824
r10 0x58 88
r11 0x7ffff6dac7a0 140737334921120
r12 0x7ffff60e8090 140737321533584
r13 0x7ffff60e8d48 140737321536840
r14 0x7ffff60e8090 140737321533584
r15 0x7ffff60e8d58 140737321536856
rip 0x555557890dfa <(anonymous namespace)::TypeAnalyzer::analyze()+8474>
=> 0x555557890dfa <_ZN12_GLOBAL__N_112TypeAnalyzer7analyzeEv+8474>: movl $0x8ca,0x0
0x555557890e05 <_ZN12_GLOBAL__N_112TypeAnalyzer7analyzeEv+8485>: callq 0x555556a7cc1c <abort>
|
Reporter | |
Comment 1•3 years ago
|
||
|
||
Comment 2•3 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210312153235-8fdbcaa80217.
The bug appears to have been introduced in the following build range:
Start: 7a4eff3b0038695935a0e530ad5762a6788932b5 (20210304234219)
End: b483df09813b5065b407d0657ba921b98a40a40c (20210304235007)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=7a4eff3b0038695935a0e530ad5762a6788932b5&tochange=b483df09813b5065b407d0657ba921b98a40a40c
|
Assignee | |
Comment 3•3 years ago
|
||
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
Pushed by iireland@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/afd3a56b45bf Fix type policy for GetInlinedArgument r=jandem
|
||
Comment 5•3 years ago
|
||
| bugherder | ||
|
|
||
Comment 6•3 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210315214853-e8346137ae4e.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
|
||
Updated•3 years ago
|
Description
•